SSD Advisory – TrustPort Management Unauthenticated Remote Code Execution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
Multiple vulnerabilities in TrustPort’s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code.

TrustPort Management “offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. Central administration from TrustPort brings you simple application of corporate security policies, monitoring of security incidents or the remote starting of tasks”.

Vendor Response
The vulnerability was reported to the vendor on March 6th, the following response was received on the 6th of March:
“thanks for information. We are going to correct the errors in following version of the SW.”

No further response was received, though 3 more emails were sent by us to the company between the March 6th and the date of publication. We have no idea of how to resolve this bug, the only workaround is to not expose the administrative port to untrusted networks.

Credit
An independent security researcher, Ahmed Y. Elmogy, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vulnerability Details
1. Pre-auth remote code execution vulnerability (as SYSTEM) in https://host:20394/get/settings-set-user.php.

Requirements: No authentication is required to exploit this vulnerability.

Vulnerable lines 25 to 29:

No validation is being done on user input before using eval on it.

Exploitation request:

Response:

2. Pre-auth remote code execution vulnerability (as SYSTEM) in https://host:20394/get/settings-set-user-perms.php

Requirements: No authentication is required to exploit this vulnerability.

Vulnerable lines 16 to 25:

No validation is being done on user input before using eval on it.

Exploitation request:

Response:

3. Pre-auth remote arbitrary file disclosure/deletion in https://host:20394/get/manage-get-stations-add.php
Requirements: No authentication is required to exploit this vulnerability, requires combination with another minor vulnerability to be exploitable.

Restrictions: The file disclosed will be deleted after that, unless the “exploiter” manages somehow to race the PHP code before that happens (I doubt).

Vulnerable code, line 74 to 76:

Where export_download_file is:

So this couldn’t be directly exploited because it actually views the contents of the path, that’s written in a file (idk what could be the purpose of this function), but I found another minor file upload vulnerability (no .php extensions) that helps exploiting this. In /get/settings-set-backup.php,

Vulnerable code:

This requires no authentication, and will create file restore_bkp_ (as _SESSION[‘useruid’] would be null) with whatever content we want (the path we want to disclose and consequently delete of course).

Exploitation requests:

Then to disclose/delete the contents of C:private.txt:

And response:



*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Noam Rathaus. Read the original post at: https://blogs.securiteam.com/index.php/archives/3685